Primary-secondary radius server configuration

selva Kathir
Level 1

Hi all,

I have a couple of ACS 5.2 servers configured as active and backup, and I am doing dot1x authentication using these servers. I have configured the switch with the below configuration.

radius-server host 10.0.10.15 auth-port 1645 acct-port 1646

radius-server host 10.0.10.16 auth-port 1645 acct-port 1646

radius-server key 7 aaaaaaaaaaaaaa

Please help me understand what will happen in the switch

1) in case of primary failure

2) in case the primary returns alive.

Thanks in advance,

Selva

8 Replies

Amjad Abdullah
VIP Alumni

Hi Selva,

You need to post all your AAA config. The above lines show you added the RADIUS servers, but it is not necessarily the case that all servers will be reached. We need to look into the AAA config to see what server groups are configured and what servers are under the groups.

In general, if things are configured correctly:

- If the primary did not reply at all (down, not reachable, etc.) the AAA client (the switch in your case) will try the next RADIUS server.

- If the primary server replies (with access-reject, error, etc.) the AAA client (the switch in your case) sends an auth failure to the host.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

Thanks a lot for your valuable reply. My AAA configuration is

aaa authentication dot1x default group radius

aaa authorization network default group radius 

aaa accounting dot1x default start-stop group radius

And I mean to ask: if the primary RADIUS server is down, then for every request will the switch try the primary first and then the secondary?

If that happens, will it cause a slow response for clients?

Thanks,

Selva.

Your config means all RADIUS servers will be tested one by one if one fails.

The info you are looking for may vary based on what switch, what model and what software you use.

You had better check the config guide of your switch software, which will probably answer that question, or maybe post the question in the switching forums for a more accurate answer.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi,

Thanks for your response. I will post this in the Switching forum as well.

Rgds,

Selva.

You can configure a dead-time interval. During the dead-time interval, the NAD sends probe access-request packets to verify that the TACACS+ server is available and can receive authentication requests. The dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the NAD retransmits the authentication request to the server.

Jatin Katyal
- Do rate helpful posts -

~Jatin
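To make concrete what Selva asked earlier (does every request try the primary first, and is it slow?) and the dead-time behaviour Jatin describes above, here is a small Python model added to this thread; it is not Cisco code. The timeout, attempt count and probe logic are constructed assumptions for illustration, not the defaults of any particular IOS release, and only the two server addresses come from the posted config.

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    host: str
    up: bool = True            # simulated reachability, toggled by the scenario
    dead_until: float = None   # time (s) until which the NAD skips this server

class AaaClient:
    """Toy model of a NAD walking its RADIUS group in order (constructed, not IOS code)."""
    def __init__(self, servers, timeout=5, attempts=3, deadtime=0):
        self.servers = servers        # tried in the order they were configured
        self.timeout = timeout        # seconds waited per unanswered attempt (assumed)
        self.attempts = attempts      # attempts before giving up on one server (assumed)
        self.deadtime = deadtime      # minutes a failed server is skipped; 0 = never skipped

    def authenticate(self, now):
        """Return (host that answered or None, seconds the client waited in total)."""
        waited = 0
        for srv in self.servers:
            if srv.dead_until is not None and now < srv.dead_until:
                continue                               # inside dead time: not even tried
            if srv.up:
                srv.dead_until = None                  # dead time over and it answered
                return srv.host, waited
            waited += self.timeout * self.attempts     # every attempt timed out
            if self.deadtime:
                srv.dead_until = now + self.deadtime * 60
        return None, waited                            # nobody answered: auth fails

    def probe(self, now):
        """Probe servers still in dead time; those that answer are used again at once."""
        revived = []
        for srv in self.servers:
            if srv.dead_until is not None and now < srv.dead_until and srv.up:
                srv.dead_until = None
                revived.append(srv.host)
        return revived

def run_scenario(deadtime):
    """Primary down at t=0, back at t=60 s; returns (server, wait) for three requests."""
    primary = RadiusServer("10.0.10.15", up=False)     # hosts from the thread's config
    secondary = RadiusServer("10.0.10.16")
    nad = AaaClient([primary, secondary], deadtime=deadtime)
    results = [nad.authenticate(0), nad.authenticate(30)]
    primary.up = True                                  # primary returns alive
    nad.probe(60)                                      # probe cycle notices it
    results.append(nad.authenticate(61))
    return results
```

With deadtime=0 every request during the outage waits out all attempts against the primary before the secondary answers, which is the slow-client symptom Selva asks about; with a dead time the primary is skipped until a probe (or dead-time expiry) brings it back.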

Jatin:

We have almost the same RADIUS failover behavior in wireless controllers.

Do you know what username is being used for switch probe requests during the dead-time interval?

It is configurable on wireless controllers. The default is cisco-probe.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Unsure about the default one, but this is configurable on IOS as well.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Katyal,

Thanks for your reply!!

Can you please elaborate what will happen if the primary server fails?

What will happen if it comes back alive?

Rgds,

Selva.